aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2007-10-13 12:25:31 +0000
committerMichael Niedermayer <michaelni@gmx.at>2007-10-13 12:25:31 +0000
commit4d570f94ba055d75f469aacadfccf0bdffcbae6c (patch)
tree4c47446850acbd74d7835765c4801f47cb9bee80
parent972c5f9e10107650e9fb3544f22ce1e8370e9d80 (diff)
downloadffmpeg-4d570f94ba055d75f469aacadfccf0bdffcbae6c.tar.gz
prevent infinite loop and memcpy of negative amounts
fixes issue194 Originally committed as revision 10726 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/aac_parser.c3
-rw-r--r--libavcodec/ac3_parser.c3
2 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/aac_parser.c b/libavcodec/aac_parser.c
index d6cf2693fc..ac806931ec 100644
--- a/libavcodec/aac_parser.c
+++ b/libavcodec/aac_parser.c
@@ -67,6 +67,9 @@ static int aac_sync(const uint8_t *buf, int *channels, int *sample_rate,
skip_bits1(&bits); /* copyright_identification_bit */
skip_bits1(&bits); /* copyright_identification_start */
size = get_bits(&bits, 13); /* aac_frame_length */
+ if(size < AAC_HEADER_SIZE)
+ return 0;
+
skip_bits(&bits, 11); /* adts_buffer_fullness */
rdb = get_bits(&bits, 2); /* number_of_raw_data_blocks_in_frame */
diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c
index d97c86e01b..034a0bdf26 100644
--- a/libavcodec/ac3_parser.c
+++ b/libavcodec/ac3_parser.c
@@ -114,6 +114,9 @@ static int ac3_sync(const uint8_t *buf, int *channels, int *sample_rate,
return 0; /* Currently don't support additional streams */
frmsiz = get_bits(&bits, 11) + 1;
+ if(frmsiz*2 < AC3_HEADER_SIZE)
+ return 0;
+
fscod = get_bits(&bits, 2);
if (fscod == 3) {
fscod2 = get_bits(&bits, 2);